{"id":"PYSEC-2018-13","details":"An issue was discovered in markdown2 (aka python-markdown2) through 2.3.5. The safe_mode feature, which is supposed to sanitize user input against XSS, is flawed and does not escape the input properly. With a crafted payload, XSS can be triggered, as demonstrated by omitting the final '\u003e' character from an IMG tag.","aliases":["CVE-2018-5773","GHSA-p6h9-gw49-rqm4"],"modified":"2023-11-08T04:00:20.840570Z","published":"2018-01-18T21:29:00Z","references":[{"type":"REPORT","url":"https://github.com/trentm/python-markdown2/issues/285"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-p6h9-gw49-rqm4"}],"affected":[{"package":{"name":"markdown2","ecosystem":"PyPI","purl":"pkg:pypi/markdown2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.3.6"}]}],"versions":["1.0.1.10","1.0.1.11","1.0.1.12","1.0.1.13","1.0.1.14","1.0.1.15","1.0.1.16","1.0.1.17","1.0.1.18","1.0.1.19","1.0.1.6","1.0.1.7","1.0.1.8","1.0.1.9","1.1.0","1.1.1","1.2.0","1.3.0","1.3.1","1.4.0","1.4.1","1.4.2","2.0.0","2.0.1","2.1.0","2.2.0","2.2.1","2.2.2","2.2.3","2.3.0","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/markdown2/PYSEC-2018-13.yaml"}}],"schema_version":"1.7.3"}